diff --git a/scm-webapp/src/main/java/sonia/scm/security/AnonymousRealm.java b/scm-webapp/src/main/java/sonia/scm/security/AnonymousRealm.java
index 16ecead815..f443e09710 100644
--- a/scm-webapp/src/main/java/sonia/scm/security/AnonymousRealm.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/AnonymousRealm.java
@@ -6,12 +6,12 @@ import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
 import org.apache.shiro.realm.AuthenticatingRealm;
-import sonia.scm.ConfigurationException;
 import sonia.scm.SCMContext;
 import sonia.scm.plugin.Extension;
 import sonia.scm.user.UserDAO;
 
 import javax.inject.Singleton;
+import javax.ws.rs.NotAuthorizedException;
 
 import static com.google.common.base.Preconditions.checkArgument;
 
@@ -43,7 +43,7 @@ public class AnonymousRealm extends AuthenticatingRealm {
   @Override
   protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) {
     if (!userDAO.contains(SCMContext.USER_ANONYMOUS)) {
-     throw new ConfigurationException("trying to access anonymous but _anonymous user does not exist");
+     throw new NotAuthorizedException("trying to access anonymous but _anonymous user does not exist");
     }
     checkArgument(authenticationToken instanceof AnonymousToken, "%s is required", AnonymousToken.class);
     return helper.authenticationInfoBuilder(SCMContext.USER_ANONYMOUS).build();
diff --git a/scm-webapp/src/test/java/sonia/scm/security/AnonymousRealmTest.java b/scm-webapp/src/test/java/sonia/scm/security/AnonymousRealmTest.java
index 1a67ea192c..24dcef3ec8 100644
--- a/scm-webapp/src/test/java/sonia/scm/security/AnonymousRealmTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/security/AnonymousRealmTest.java
@@ -8,10 +8,11 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
-import sonia.scm.ConfigurationException;
 import sonia.scm.SCMContext;
 import sonia.scm.user.UserDAO;
 
+import javax.ws.rs.NotAuthorizedException;
+
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.mockito.Mockito.when;
@@ -56,7 +57,7 @@ class AnonymousRealmTest {
   @Test
   void shouldThrowNotAuthorizedExceptionIfAnonymousUserNotExists() {
     when(userDAO.contains(SCMContext.USER_ANONYMOUS)).thenReturn(false);
-    assertThrows(ConfigurationException.class, () -> realm.doGetAuthenticationInfo(new AnonymousToken()));
+    assertThrows(NotAuthorizedException.class, () -> realm.doGetAuthenticationInfo(new AnonymousToken()));
   }
 
   @Test